Panned on SIFIs, council wins support for cyber guidelines

Insurers have not been pleased with the Financial Stability Oversight Council's designation of certain companies as systemically important financial institutions, but insurers do favor the panel's proposals when it comes to cyber security.

FSOC's cyber security recommendations are a step in the right direction since they seek to enhance sharing of information, a goal insurers and other businesses share.

In its annual report late last month, FSOC said “financial services sector companies and industry groups, executive branch agencies, financial regulators and others have made notable progress in improving cyber security and resilience throughout the system.”

“Continuing to advance these and other efforts should remain a top priority for business and government leaders,” and several cyber-related proposals build on last year's recommendations, FSOC said.

Among other things, the federal agency recommended that the U.S. departments of Treasury, Homeland Security, Justice and Defense, as well as financial regulators, “strongly support efforts to implement” the Cybersecurity Information Sharing Act of 2015, which promotes information sharing on data breaches.

In addition, FSOC recommended that financial regulators “endeavor to establish a common risk-based approach to assess cyber security and resilience at the firms they regulate.”

FSOC recommended that agencies and financial companies “further explore how best to concurrently manage the financial stability and technical impacts of a significant cyber security incident. Ultimately, effective response to a significant cyber security incident affecting the financial services sector will depend on technical, financial stability and business response efforts,” according to the report.

“It seems like they're pretty conventional recommendations; they are conventional, but they still are nonetheless important,” said Alex Hageli, director of personal lines policy at the Property Casualty Insurers Association of America in Chicago.

“It's important to get it right so there's true information sharing. We supported passage of CISA and we're hopeful it will realize its potential.” Mr. Hageli said.

“FSOC seemed to mention the benefits that information sharing gives to government, but we also believe it can empower the private sector to become more cyber-resilient,” said Angela Gleason, associate counsel at the Washington-based American Insurance Association, which supports sharing data breach information.

An observer also welcomed the recommendations.

“The FSOC's encouragement of more 'full scope' information sharing provides welcome momentum to discussions about which risk controls deliver the most cyber security bang for the buck — a key open question for many organizations that struggle to effectively implement available frameworks, regulations and standards,” Tom Finan, chief strategy officer at Ark Network Security Solutions L.L.C. in Dulles, Virginia, said in an email.

“Platforms to identify such community-endorsed controls are sorely needed,” said Mr. Finan, who previously was senior cyber security strategist and counsel with the Department of Homeland Security's national protection and programs directorate. The Department of Homeland Security's Cyber Incident Data and Analysis Working Group “recently blazed an initial trail on this very topic that both the private and public sectors are actively pursuing,” he said.